Two-Factor Authentication adds additional authentication on top of the normal username / password. At first stage user is asked the username/password and based on that information, an one-time password (usually generated from a smartphone app) is asked. So, even if the users username/password is known to attacker, the attacker still would not able to access the system.